Missing ids on cloned images at Instageni


Hussamuddin Nasir

Jul 7, 2015, 4:17:06 PM
to geni-...@googlegroups.com
Hello,
We have a student who has been trying to create an image on an
Instageni rack. He has added SNMP using apt-get which also adds a new
user called "snmp". But every time he creates an image from the VM, the id
is missing. I remember this was an issue a long time back, but thought
it was fixed or am I wrong? Please let us know.

--
cheers,

Hussam
(Hussamuddin Nasir)

Netlab Operations Team

-------------------------------------------------------------------
Laboratory for Adv. Networking Phone : (859)218-0059
James F Hardymon Building Fax : (859)323-3740
301 Rose Street, Rm 237 E-mail : na...@netlab.uky.edu
Lexington, KY 40506-0495 Web : http://www.netlab.uky.edu

University of Kentucky
**********************
-------------------------------------------------------------------

Leigh Stoller

Jul 7, 2015, 4:50:11 PM
to geni-...@googlegroups.com
> We have a student who has been trying to create an image on an Instageni
> rack. He has added SNMP using apt-get which also adds a new user called
> "snmp". But every time he creates an image from the VM, the id is
> missing. I remember this was an issue a long time back, but thought it
> was fixed or am I wrong? Please let us know.

There is an internal option to the CMV2 interface that tells the disk
imaging subsystem to update the password files so that new system accounts
are not deleted when the snapshot is created. It is called "update_prepare"
and is a boolean value. I can add that as a pass through on the AM
interface, but that will not go out for a while.

Leigh





Hussamuddin Nasir

Jul 7, 2015, 4:52:44 PM
to geni-...@googlegroups.com
Yes, please add it to the AM API. And let us know when it's in on all the
racks.

cheers,

Hussam
(Hussamuddin Nasir)


Brecht Vermeulen

Jul 7, 2015, 7:04:52 PM
to geni-...@googlegroups.com


Leigh Stoller wrote on 7/07/2015 at 22:50:
is this the same as currently manually running on the node:

sudo su
/usr/testbed/lib/prepare -M


before creating the image or is there still a difference ?
(we currently use this way to avoid removing system users from passwd)

Brecht

Leigh Stoller

Jul 7, 2015, 7:17:11 PM
to geni-...@googlegroups.com
> is this the same as currently manually running on the node:
>
> sudo su
> /usr/testbed/lib/prepare -M

Yep, that will work.

Leigh





Brecht Vermeulen

Jul 8, 2015, 1:13:18 AM
to geni-...@googlegroups.com


Leigh Stoller wrote on 7/07/2015 at 22:50:
just another question: is there any reason to not execute this command
for each image creation automatically ? (by the tool or user or even by
the aggregate ?)

Brecht

Nicholas Bastin

Jul 8, 2015, 1:14:57 AM
to geni-...@googlegroups.com
On Tue, Jul 7, 2015 at 7:13 PM, Brecht Vermeulen <brecht.v...@intec.ugent.be> wrote:
> just another question: is there any reason to not execute this command
> for each image creation automatically ? (by the tool or user or even by
> the aggregate ?)

There are definitely reasons not to do it, but I could easily be convinced that doing it should be the default.

--
Nick 

Leigh Stoller

Jul 8, 2015, 9:14:37 AM
to geni-...@googlegroups.com
> There are definitely reasons not to do it, but I could easily be convinced that doing it should be the default.

The main reason not to is so that we do not carry bad accounts forward from
image to image as users clone them to make new images. A bad account is
defined as one with a trivially cracked password, which happens on an
amazingly regular basis.

Leigh
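
The trade-off described in this reply (keeping new system accounts versus carrying password accounts forward into cloned images) can be checked on the node before running `prepare -M` or setting `update_prepare`. The sketch below is an added example, not Emulab or GENI code; the function names, file paths and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Emulab code): accounts on the node that are not in the
# base image, and whether each can authenticate with a password.
# usage: audit_new_accounts BASE_PASSWD NODE_PASSWD NODE_SHADOW
audit_new_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { base[$1] = 1; next }   # accounts shipped in the base image
        FILENAME == ARGV[2] {                         # accounts on the node being imaged
            if (!($1 in base)) { uid[$1] = $3; order[++n] = $1 }
            next
        }
        { hash[$1] = $2 }                             # shadow password field
        END {
            for (i = 1; i <= n; i++) {
                u = order[i]
                if (!(u in hash))           state = "no-shadow-entry"
                else if (hash[u] == "")     state = "EMPTY-PASSWORD"  # login without a password
                else if (hash[u] ~ /^[!*]/) state = "locked"          # no usable password
                else                        state = "PASSWORD-SET"    # review before cloning
                printf "%s uid=%s %s\n", u, uid[u], state
            }
        }' "$1" "$2" "$3"
}

# Constructed sample data: a base image, plus a node where apt-get added
# "snmp" and a user added an account with a password.
demo() {
    d=$(mktemp -d)
    cat > "$d/base" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
EOF
    cat "$d/base" - > "$d/node" <<'EOF'
snmp:x:108:114::/var/lib/snmp:/bin/false
student:x:1001:1001::/home/student:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:*:16600:0:99999:7:::
snmp:*:16623:0:99999:7:::
student:$6$constructed$not-a-real-hash:16623:0:99999:7:::
EOF
    audit_new_accounts "$d/base" "$d/node" "$d/shadow"
    rm -rf "$d"
}

demo
```

Accounts reported as `locked` (such as a package-created service user) are safe to preserve; anything reported as `PASSWORD-SET` or `EMPTY-PASSWORD` is what would be carried into every clone.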





Nicholas Bastin

Jul 8, 2015, 6:22:23 PM
to geni-...@googlegroups.com
There are also a bunch of ways in which these accounts get created but not deleted if the things that use them go away.

That being said, and I've been wondering this for a while - why do the default images allow password login AT ALL?  It would actually greatly streamline the user experience if they didn't, because then users would not get the confusing "password" prompt when they think it's an ssh "passphrase" prompt, it would simply fail (and be a lot easier to explain).

--
Nick 

Leigh Stoller

Jul 8, 2015, 6:26:26 PM
to geni-...@googlegroups.com
> That being said, and I've been wondering this for a while - why do the default images allow password login AT ALL? It would actually greatly streamline the user experience if they didn't, because then users would not get the confusing "password" prompt when they think it's an ssh "passphrase" prompt, it would simply fail (and be a lot easier to explain).

Because the standard images are used by more than just geni racks, they
get used on pretty much all Emulab based sites. Turning off password
authentication may not be the right thing for every one of those sites.

I suppose it could be a boot time configuration thing …

Leigh





Nicholas Bastin

Jul 8, 2015, 6:33:34 PM
to geni-...@googlegroups.com
On Wed, Jul 8, 2015 at 12:26 PM, Leigh Stoller <lbst...@gmail.com> wrote:
> Because the standard images are used by more than just geni racks, they
> get used on pretty much all Emulab based sites. Turning off password
> authentication may not be the right thing for every one of those sites.
>
> I suppose it could be a boot time configuration thing …

It would certainly really help GENI users if SSH never fell back to password login.

--
Nick 

Sarah Edwards

Jul 10, 2015, 10:34:01 AM
to geni-...@googlegroups.com, Sarah Edwards
> I suppose it could be a boot time configuration thing …
>
> It would certainly really help GENI users if SSH never fell back to password login.

Sorry to pipe in late.  I strongly agree with Nick on this.  

I always teach new GENI experimenters that "if you are prompted for a password something has always gone wrong".  (Meaning either they didn't offer their private key to the ssh session OR something went wrong and their public key wasn't loaded on the node and they should ask for help or try again.) 

I can't speak to priorities and I'm only speaking for myself, but if this issue magically went away (especially on default images) it would be a very good thing.

*******************************************************************************
Sarah Edwards
GENI Project Office

BBN Technologies
Cambridge, MA
phone:    (617) 873-2329
email:    sedw...@bbn.com





Hussamuddin Nasir

Jul 28, 2015, 4:30:51 PM
to geni-...@googlegroups.com
Hi Leigh,
Has this been pushed to the racks ?

cheers,

Hussam
(Hussamuddin Nasir)


Leigh Stoller

Jul 28, 2015, 4:42:38 PM
to geni-...@googlegroups.com
> Hi Leigh,
> Has this been pushed to the racks ?

It will go out tomorrow.

Leigh





Hussamuddin Nasir

Jul 29, 2015, 5:32:53 PM
to geni-...@googlegroups.com
BTW what is the option for the AMAPI to enable this ?

cheers,

Hussam
(Hussamuddin Nasir)


Leigh Stoller

Jul 29, 2015, 5:36:21 PM
to geni-...@googlegroups.com
> BTW what is the option for the AMAPI to enable this ?

Add “update_prepare” to the options array, any non-zero value.

Leigh




